ldap/servers/slapd/connection.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
New commits:
commit 55106fe77d2c834b0ba866d440bb8ce08c1d01ff
Author: Rich Megginson rmeggins@redhat.com
Date: Wed Nov 9 13:05:39 2011 -0700
Bug 751645 - crash when simple paged fails to send entry to client
https://bugzilla.redhat.com/show_bug.cgi?id=751645
Resolves: bug 751645
Bug Description: crash when simple paged fails to send entry to client
Reviewed by: nkinder,nhosoi (Thanks!)
Branch: master
Fix Description: The crash happens when the server is sending back the paged result entry responses to the client and there is a problem with the connection e.g. the client closes the socket while the server is doing the PR_Send/PR_Write on the client socket. If the reader thread in connection_read_operation() sees the close first, it will call disconnect_server() to disconnect the socket and cleanup the pagedresult structure back_search_result_set in the Connection*. The problem with this is that it leaves a dangling reference to the pagedresult structures in the writer thread in ldbm_back_next_search_entry_ext. When that code sees the error from the write, it will also attempt to free the search result, and will get an invalid or double free error. The solution is to not do the pagedresults_cleanup in disconnect_server(), but instead allow the writer thread to do the cleanup safely. The connection_cleanup() function will call pagedresults_cleanup() to avoid any memory leaks. The only thing the disconnect_server() function needs to do is to reset the c_timelimit to avoid the "slapd stops responding" and "simple paged results timeout" problems.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
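The race the fix description walks through (reader thread frees the paged-results state on disconnect, writer thread frees the same state again when its send fails) is easiest to see as a sequence of ownership transfers. The following is an added, standalone model written for this page; it is not 389 Directory Server code and its types and function names (result_set_t, conn_t, model_disconnect, model_send_failed, model_connection_cleanup, run_scenario) are simplified stand-ins for back_search_result_set, Connection, disconnect_server(), the error path in ldbm_back_next_search_entry_ext and connection_cleanup(). The `fixed` flag switches between the pre-fix behaviour (disconnect also frees) and the post-fix behaviour (disconnect only resets the time limit, the writer frees on error, final teardown frees whatever is left so nothing leaks).

```c
/* Added illustration of the ownership change described for bug 751645.
 * Standalone model, not 389 Directory Server code: every type, field and
 * function name below is a hypothetical stand-in chosen for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for back_search_result_set: paged-results state the search
 * (writer) thread is using while it streams entries to the client. */
typedef struct {
    int entries_left;
} result_set_t;

/* Stand-in for the Connection fields the scenario touches. */
typedef struct {
    result_set_t *paged;  /* hypothetical slot for the paged-results state */
    int c_timelimit;      /* mirrors the field the real fix resets */
    int frees;            /* bookkeeping: how often the result set was freed */
} conn_t;

/* Free the result set at most once but count every attempt, so the buggy
 * sequence records a double free instead of corrupting the heap. */
static void result_set_release(conn_t *c, result_set_t *rs)
{
    c->frees++;
    if (c->frees == 1) {
        free(rs);
    }
    if (c->paged == rs) {
        c->paged = NULL;
    }
}

/* Reader-thread path (models disconnect_server): before the fix it also
 * tore down the paged state; after the fix it only resets the time limit. */
static void model_disconnect(conn_t *c, int fixed)
{
    c->c_timelimit = 0;
    if (!fixed && c->paged != NULL) {
        result_set_release(c, c->paged);
    }
}

/* Writer-thread error path (models ldbm_back_next_search_entry_ext when
 * the send fails): it still holds the pointer it took before the reader
 * thread ran, which is exactly the dangling reference in the bug report. */
static void model_send_failed(conn_t *c, result_set_t *rs)
{
    result_set_release(c, rs);
}

/* Final teardown (models connection_cleanup): the one other place that may
 * free paged state, covering a search that never reached the error path. */
static void model_connection_cleanup(conn_t *c)
{
    if (c->paged != NULL) {
        result_set_release(c, c->paged);
    }
}

/* Replay the sequence from the bug report: a paged search is in flight,
 * the reader thread sees the socket close, the writer thread's send fails
 * (if writer_sees_error), then the connection is cleaned up.
 * Returns how many times the result set was freed; 1 is the correct count,
 * 2 is the double free, 0 would be a leak. */
int run_scenario(int fixed, int writer_sees_error)
{
    conn_t c;
    memset(&c, 0, sizeof c);
    c.c_timelimit = 3600;

    c.paged = calloc(1, sizeof *c.paged);  /* constructed in-flight search */
    c.paged->entries_left = 10;
    result_set_t *writer_view = c.paged;   /* pointer the writer thread holds */

    model_disconnect(&c, fixed);
    if (writer_sees_error) {
        model_send_failed(&c, writer_view);
    }
    model_connection_cleanup(&c);
    return c.frees;
}

int main(void)
{
    printf("pre-fix, writer hits error:  %d free(s)\n", run_scenario(0, 1));
    printf("post-fix, writer hits error: %d free(s)\n", run_scenario(1, 1));
    printf("post-fix, no writer error:   %d free(s)\n", run_scenario(1, 0));
    return 0;
}
```

The model makes the two halves of the fix visible separately: removing the free from the disconnect path alone turns the double free into a leak whenever the writer never reaches its error path, which is why the final teardown must still free anything that remains.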
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c index b95759a..27e4fe1 100644 --- a/ldap/servers/slapd/connection.c +++ b/ldap/servers/slapd/connection.c @@ -2766,9 +2766,7 @@ disconnect_server_nomutex( Connection *conn, PRUint64 opconnid, int opid, PRErro
conn->c_gettingber = 0; connection_abandon_operations( conn ); - - pagedresults_cleanup(conn, 0 /* already locked */); /* In case the connection is on pagedresult. - Better to call it after the op is abandened. */ + conn->c_timelimit = 0; /* needed here to ensure simple paged results timeout properly and don't impact subsequent ops */
if (! config_check_referral_mode()) { /*
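Review bot: the fix description relies on connection_cleanup() calling pagedresults_cleanup() to avoid leaks, but the diffstat (connection.c only, 1 insertion, 3 deletions) shows just the removal of `pagedresults_cleanup(conn, 0 /* already locked */);` from disconnect_server_nomutex() and the new `conn->c_timelimit = 0;` line. If connection_cleanup() does not already call pagedresults_cleanup(), this hunk on its own trades the double free for a leak of the back_search_result_set on every connection that disconnects while a paged search is in flight and the writer thread never hits its error path; please either include that change in the same commit or state in the message that the call is already present. The new comment `/* needed here to ensure simple paged results timeout properly and don't impact subsequent ops */` would also be more useful if it said that this reset replaces the cleanup that was removed on purpose (with the bug number), so a later reader does not reinstate the pagedresults_cleanup() call here.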
389-commits@lists.fedoraproject.org